How I deployed Package Publisher, and a problem I could not find a solution to on the Internet
Unable to verify the signature for the file \\[serverName]\UpdateServicesPackages\AppName_abf10b91-bfa6-44ff-aa54-099e4bf1487d\a7f3d4b2-02b6-4f0c-ab9b-e38c8de9c3f0_1.cab
Verification of file signature failed for file: \\[serverName]\UpdateServicesPackages\AppName_abf10b91-bfa6-44ff-aa54-099e4bf1487d\a7f3d4b2-02b6-4f0c-ab9b-e38c8de9c3f0_1.cab
Somehow I was given the task of deploying an update server in our little network of 1000 machines. In general, administration is not my main job, and for the last two years I have laid eyes on Windows only on very big holidays. But the beloved information technology service said: “You are the ones who need security, so you deal with it.”
So, having gathered my will into a fist, I went to read manuals on how to deploy WSUS. And while everything there is simple and understandable, and every problem that might arise has already been met by someone and described on forums long ago, Package Publisher raised many questions.
What was it for? There was a need to centrally update not only the system and Microsoft applications but also third-party ones, in particular Firefox, and only on those machines where it is already installed. (LUP was considered as an alternative; the functionality is about the same, but good people on the forums said that it is no longer supported and is much harder to integrate with WinServ2016.)
So WSUS has been deployed. What Windows deserves love for is “Next -> Next -> Done, you are amazing.” The time has come for Package Publisher. All links to it that exist on the Internet lead here. There is also a link to the git repository, which describes the installation process in detail. Namely: download the archive, unzip it, run "Wsus Package Publisher.exe".
On Linux, I am used to simply cloning repositories from GitHub. But what Windows does not deserve love for is that nothing works that way there. If you download the repository by simply clicking the green button then, oh horror, there will be no EXE file in the archive. Seriously, I spent 20 minutes trying to understand what the catch was and where I had lost it. It turned out that you just need to download a specific release.
The installation was a pleasure, or rather its absence was. The EXE starts without any installation, finds WSUS by itself (deployed on the same machine) and, on connecting to it, reports that there is no certificate and that updates cannot be published.
It is logical to assume that the next step is to feed WSUS Package Publisher a certificate (Tools -> Certificate). You can generate a self-signed one. But I really did not want to do that. Moreover, a colleague had recently deployed a local certification server. Interestingly, the certificate load button becomes active only after entering the passphrase. "Close". Having checked in the mmc console that the certificate I needed was in the WSUS container, I sincerely hoped that happiness would arrive after restarting WSUS, with all the associated trusted publishers and trusted root certification authorities. Yeah, right.
When creating an update (you can read how to do it for Firefox here), the following error occurs at the last stage: “Verification of file signature failed for file: \\[serverName]\UpdateServicesPackages\AppName_abf10b91-bfa6-44ff-aa54-099e4bf1487d\a7f3d4b2-02b6-4f0c-ab9b-e38c8de9c3f0_1.cab” (the signature of the file cannot be verified). Google says the reason is that the certificate is missing from the "Trusted Root Certification Authorities" container. But it was there! And not only it! I tried putting it everywhere I could. Unsuccessfully.
After an hour and a half of unsuccessful attempts, I gave up and decided to use the WPP self-signed certificate. You would not believe what I saw when I went to the mmc console.
A special certificate is generated for signing code. That is, the certificate must be generated specifically for code signing. More importantly, the private key must be exportable! After that it is a matter of technique: use GPO to distribute the certificate chain to the machines on the network (this time without the private key), and you can centrally install and update any applications.
So, if you get the error "Verification of file signature failed for file", or any similar one:
- On the local Certificate Authority, generate a Code Signing certificate for the WSUS server where Package Publisher is installed. The private key must be exportable.
- Export the certificate with the private key and add it to Package Publisher after entering the private key. Restart WSUS.
- Export the certificate without the private key and distribute it to the client machines.
- Update and install any applications centrally and enjoy life.
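The checks behind these steps, as an added PowerShell example that is not part of the original post or of Package Publisher: it inspects the certificates in the WSUS container mentioned above for the Code Signing usage and a private key, then exports only the public part for distribution. The store path Cert:\LocalMachine\WSUS and the output folder are assumptions.

```powershell
# Added example, not from the original post. Run elevated on the WSUS server.
# Read-only apart from writing .cer files to $exportDir (an assumed folder).
$codeSigningOid = '1.3.6.1.5.5.7.3.3'    # OID of the Code Signing enhanced key usage
$exportDir      = 'C:\Temp\wsus-cert'    # assumption: pick any folder you like

function Test-WsusSigningCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    # Collect the EKU OIDs; a certificate issued for another purpose fails this check.
    $ekuOids = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    # Build the chain to a trusted root as seen from this server.
    # Revocation is skipped so an unreachable CRL does not mask a trust problem.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($Cert)

    [pscustomobject]@{
        Subject            = $Cert.Subject
        Thumbprint         = $Cert.Thumbprint
        CodeSigningEku     = $ekuOids -contains $codeSigningOid
        HasPrivateKey      = $Cert.HasPrivateKey
        ChainTrusted       = $chainOk
        InTrustedPublisher = Test-Path "Cert:\LocalMachine\TrustedPublisher\$($Cert.Thumbprint)"
    }
}

$report = Get-ChildItem Cert:\LocalMachine\WSUS | ForEach-Object { Test-WsusSigningCert -Cert $_ }
$report | Format-List

# Export only the public part of certificates that pass, for distribution to clients.
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null
foreach ($r in $report | Where-Object { $_.CodeSigningEku -and $_.HasPrivateKey }) {
    $cert = Get-Item "Cert:\LocalMachine\WSUS\$($r.Thumbprint)"
    Export-Certificate -Cert $cert -FilePath (Join-Path $exportDir "$($r.Thumbprint).cer") | Out-Null
}
```

A certificate that shows CodeSigningEku as False reproduces the situation described above: it can sit in every trusted store and the signature check will still fail.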